Cheers to all the teams on sev1 calls on their holidays, we can only hope their adversaries are also trying to spend time with family. LangGrinch, indeed! (I get it, timely disclosure is responsible disclosure)
The best part about this is that you know the type of people/companies using langchain are likely the type that are not going to patch this in a timely manner.
I am not sure what's the stereotype, but I tried using langchain and realised most of the functionality actually adds more code to use than simply writing my own direct API LLM calls.<p>Overall I felt like it solves a problem doesn't exist, and I've been happily sending direct API calls for years to LLMs without issues.
CVE-2025-68664 (<i>langchain-core</i>): object confusion during (de)serialization can leak secrets (and in some cases escalate further). Details and mitigations in the post.
WHY on earth did the author of the CVE feel the need to feed the description text through an LLm? I get dizzy when I see this AI slop style.<p>I would rather just read the original prompt that went in instead of verbosified "it's not X, it's **Y**!" slop.
> WHY on earth did the author of the CVE feel the need to feed the description text through an LLm?<p>Not everyone speaks English natively.<p>Not everyone has taste when it comes to written English.
If I want to cleanup, summarize, translate, make more formal, make more funny, whatever, some incoming text by sending it through an LLM, I can do it myself.